📄 hookproc.h
字号:
/*
* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
*
* Module Name:
*
* hookproc.h
*
* Abstract:
*
* This module definies various types used by service operation (system call) hooking routines.
*
* Author:
*
* Eugene Tsyrklevich 16-Feb-2004
*
* Revision History:
*
* None.
*/
#ifndef __HOOKPROC_H__
#define __HOOKPROC_H__
#include "userland.h"
/* should the following calls be intercepted? */
#define HOOK_EVENT 1
#define HOOK_FILE 1
#define HOOK_DIROBJ 1
#define HOOK_JOB 1
#define HOOK_NETWORK 1
#define HOOK_MUTANT 1
#define HOOK_PORT 1
#define HOOK_PROCESS 1
#define HOOK_REGISTRY 1
#define HOOK_SECTION 1
#define HOOK_SEMAPHORE 1
#define HOOK_SYMLINK 1
#define HOOK_SYSINFO 1
#define HOOK_TIME 1
#define HOOK_TIMER 1
#define HOOK_TOKEN 1
#define HOOK_DRIVEROBJ 1
#define HOOK_ATOM 1
#define HOOK_VDM 1
#define HOOK_SYSCALLS 0
#define HOOK_DEBUG 1
#define HOOK_MEDIA 1
#define HOOK_BOPROT 0
#pragma pack(push, 1)
typedef struct _SERVICE_TABLE_DESCRIPTOR {
PULONG ServiceTableBase; /* table of function pointers */
PVOID ServiceCounterTable; /* used in checked build only */
ULONG NumberOfServices; /* number of services in this table */
/* extra LONG on IA64 goes here */
PVOID ParamTableBase; /* number of parameters */
} SERVICE_TABLE_DESCRIPTOR, *PSERVICE_TABLE_DESCRIPTOR;
#pragma pack(pop)
/*
* The Service Descriptor Table index (4 bytes following the mov opcode)
*
* The index format is as follows:
*
* Leading 18 bits are all zeroes
* Following 2 bits are system service table index (3 bits on Win64)
* Following 12 bits are service number
*/
#define SERVICE_TABLE_INDEX_BITS 2
#define NUMBER_SERVICE_TABLES (1 << SERVICE_TABLE_INDEX_BITS)
#define SERVICE_ID_NUMBER_BITS 12
#define SERVICE_ID_NUMBER_MASK ((1 << SERVICE_ID_NUMBER_BITS) - 1)
/*
* The kernel's service descriptor table, which is used to find the address
* of the service dispatch tables to use for a service ID.
*
* Descriptor 0 is used for core services (NTDLL)
* Descriptor 1 is used for GUI services (WIN32K)
* Descriptors 2 and 3 are unused on current versions of Windows NT.
*/
__declspec(dllimport) SERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable[NUMBER_SERVICE_TABLES];
/*
* not exported
*/
//PSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTableShadow;
void SystemCallHandler0(); void SystemCallHandler1(); void SystemCallHandler2(); void SystemCallHandler3();
void SystemCallHandler4(); void SystemCallHandler5(); void SystemCallHandler6(); void SystemCallHandler7();
void SystemCallHandler8(); void SystemCallHandler9(); void SystemCallHandler10(); void SystemCallHandler11();
void SystemCallHandler12(); void SystemCallHandler13(); void SystemCallHandler14(); void SystemCallHandler15();
void SystemCallHandler16(); void SystemCallHandler17(); void SystemCallHandler18(); void SystemCallHandler19();
void SystemCallHandler20(); void SystemCallHandler21(); void SystemCallHandler22(); void SystemCallHandler23();
void SystemCallHandler24(); void SystemCallHandler25(); void SystemCallHandler26(); void SystemCallHandler27();
void SystemCallHandler28(); void SystemCallHandler29(); void SystemCallHandler30(); void SystemCallHandler31();
void SystemCallHandler32(); void SystemCallHandler33(); void SystemCallHandler34(); void SystemCallHandler35();
void SystemCallHandler36(); void SystemCallHandler37(); void SystemCallHandler38(); void SystemCallHandler39();
void SystemCallHandler40(); void SystemCallHandler41(); void SystemCallHandler42(); void SystemCallHandler43();
void SystemCallHandler44(); void SystemCallHandler45(); void SystemCallHandler46(); void SystemCallHandler47();
void SystemCallHandler48(); void SystemCallHandler49(); void SystemCallHandler50(); void SystemCallHandler51();
void SystemCallHandler52(); void SystemCallHandler53(); void SystemCallHandler54(); void SystemCallHandler55();
void SystemCallHandler56(); void SystemCallHandler57(); void SystemCallHandler58(); void SystemCallHandler59();
void SystemCallHandler60(); void SystemCallHandler61(); void SystemCallHandler62(); void SystemCallHandler63();
void SystemCallHandler64(); void SystemCallHandler65(); void SystemCallHandler66(); void SystemCallHandler67();
void SystemCallHandler68(); void SystemCallHandler69(); void SystemCallHandler70(); void SystemCallHandler71();
void SystemCallHandler72(); void SystemCallHandler73(); void SystemCallHandler74(); void SystemCallHandler75();
void SystemCallHandler76(); void SystemCallHandler77(); void SystemCallHandler78(); void SystemCallHandler79();
void SystemCallHandler80(); void SystemCallHandler81(); void SystemCallHandler82(); void SystemCallHandler83();
void SystemCallHandler84(); void SystemCallHandler85(); void SystemCallHandler86(); void SystemCallHandler87();
void SystemCallHandler88(); void SystemCallHandler89(); void SystemCallHandler90(); void SystemCallHandler91();
void SystemCallHandler92(); void SystemCallHandler93(); void SystemCallHandler94(); void SystemCallHandler95();
void SystemCallHandler96(); void SystemCallHandler97(); void SystemCallHandler98(); void SystemCallHandler99();
void SystemCallHandler100(); void SystemCallHandler101(); void SystemCallHandler102(); void SystemCallHandler103();
void SystemCallHandler104(); void SystemCallHandler105(); void SystemCallHandler106(); void SystemCallHandler107();
void SystemCallHandler108(); void SystemCallHandler109(); void SystemCallHandler110(); void SystemCallHandler111();
void SystemCallHandler112(); void SystemCallHandler113(); void SystemCallHandler114(); void SystemCallHandler115();
void SystemCallHandler116(); void SystemCallHandler117(); void SystemCallHandler118(); void SystemCallHandler119();
void SystemCallHandler120(); void SystemCallHandler121(); void SystemCallHandler122(); void SystemCallHandler123();
void SystemCallHandler124(); void SystemCallHandler125(); void SystemCallHandler126(); void SystemCallHandler127();
void SystemCallHandler128(); void SystemCallHandler129(); void SystemCallHandler130(); void SystemCallHandler131();
void SystemCallHandler132(); void SystemCallHandler133(); void SystemCallHandler134(); void SystemCallHandler135();
void SystemCallHandler136(); void SystemCallHandler137(); void SystemCallHandler138(); void SystemCallHandler139();
void SystemCallHandler140(); void SystemCallHandler141(); void SystemCallHandler142(); void SystemCallHandler143();
void SystemCallHandler144(); void SystemCallHandler145(); void SystemCallHandler146(); void SystemCallHandler147();
void SystemCallHandler148(); void SystemCallHandler149(); void SystemCallHandler150(); void SystemCallHandler151();
void SystemCallHandler152(); void SystemCallHandler153(); void SystemCallHandler154(); void SystemCallHandler155();
void SystemCallHandler156(); void SystemCallHandler157(); void SystemCallHandler158(); void SystemCallHandler159();
void SystemCallHandler160(); void SystemCallHandler161(); void SystemCallHandler162(); void SystemCallHandler163();
void SystemCallHandler164(); void SystemCallHandler165(); void SystemCallHandler166(); void SystemCallHandler167();
void SystemCallHandler168(); void SystemCallHandler169(); void SystemCallHandler170(); void SystemCallHandler171();
void SystemCallHandler172(); void SystemCallHandler173(); void SystemCallHandler174(); void SystemCallHandler175();
void SystemCallHandler176(); void SystemCallHandler177(); void SystemCallHandler178(); void SystemCallHandler179();
void SystemCallHandler180(); void SystemCallHandler181(); void SystemCallHandler182(); void SystemCallHandler183();
void SystemCallHandler184(); void SystemCallHandler185(); void SystemCallHandler186(); void SystemCallHandler187();
void SystemCallHandler188(); void SystemCallHandler189(); void SystemCallHandler190(); void SystemCallHandler191();
void SystemCallHandler192(); void SystemCallHandler193(); void SystemCallHandler194(); void SystemCallHandler195();
void SystemCallHandler196(); void SystemCallHandler197(); void SystemCallHandler198(); void SystemCallHandler199();
void SystemCallHandler200(); void SystemCallHandler201(); void SystemCallHandler202(); void SystemCallHandler203();
void SystemCallHandler204(); void SystemCallHandler205(); void SystemCallHandler206(); void SystemCallHandler207();
void SystemCallHandler208(); void SystemCallHandler209(); void SystemCallHandler210(); void SystemCallHandler211();
void SystemCallHandler212(); void SystemCallHandler213(); void SystemCallHandler214(); void SystemCallHandler215();
void SystemCallHandler216(); void SystemCallHandler217(); void SystemCallHandler218(); void SystemCallHandler219();
void SystemCallHandler220(); void SystemCallHandler221(); void SystemCallHandler222(); void SystemCallHandler223();
void SystemCallHandler224(); void SystemCallHandler225(); void SystemCallHandler226(); void SystemCallHandler227();
void SystemCallHandler228(); void SystemCallHandler229(); void SystemCallHandler230(); void SystemCallHandler231();
void SystemCallHandler232(); void SystemCallHandler233(); void SystemCallHandler234(); void SystemCallHandler235();
void SystemCallHandler236(); void SystemCallHandler237(); void SystemCallHandler238(); void SystemCallHandler239();
void SystemCallHandler240(); void SystemCallHandler241(); void SystemCallHandler242(); void SystemCallHandler243();
void SystemCallHandler244(); void SystemCallHandler245(); void SystemCallHandler246(); void SystemCallHandler247();
void SystemCallHandler248(); void SystemCallHandler249(); void SystemCallHandler250(); void SystemCallHandler251();
void SystemCallHandler252(); void SystemCallHandler253(); void SystemCallHandler254(); void SystemCallHandler255();
void SystemCallHandler256(); void SystemCallHandler257(); void SystemCallHandler258(); void SystemCallHandler259();
void SystemCallHandler260(); void SystemCallHandler261(); void SystemCallHandler262(); void SystemCallHandler263();
void SystemCallHandler264(); void SystemCallHandler265(); void SystemCallHandler266(); void SystemCallHandler267();
void SystemCallHandler268(); void SystemCallHandler269(); void SystemCallHandler270(); void SystemCallHandler271();
void SystemCallHandler272(); void SystemCallHandler273(); void SystemCallHandler274(); void SystemCallHandler275();
void SystemCallHandler276(); void SystemCallHandler277(); void SystemCallHandler278(); void SystemCallHandler279();
void SystemCallHandler280(); void SystemCallHandler281(); void SystemCallHandler282(); void SystemCallHandler283();
void SystemCallHandler284(); void SystemCallHandler285(); void SystemCallHandler286(); void SystemCallHandler287();
void SystemCallHandler288(); void SystemCallHandler289(); void SystemCallHandler290(); void SystemCallHandler291();
void SystemCallHandler292(); void SystemCallHandler293(); void SystemCallHandler294();
// XXX
// SystemCallHandler macro depends on the size of this structure and the offset of the OriginalFunction!
extern struct _ZwCalls
{
PCHAR ZwName; // System call name
USHORT ZwNameLength; // System call name length
USHORT ServiceIDNumber; // System call index (filled in at runtime)
PULONG_PTR HookFunction; // Address of the hijacking function (function that will be called instead of the original system call)
PULONG_PTR OriginalFunction; // PlaceHolder for the address of the original syscall address
BOOLEAN Hijacked; // Flag indicating whether we already hijacked this system call
// or whether this is a special system service that needs to be hijacked initially
};
extern struct _ZwCalls ZwCalls[];
#define ZW_ADD_ATOM_INDEX 8
#define ZW_ADJUST_TOKEN_INDEX 12
#define ZW_CONNECT_PORT_INDEX 33
#define ZW_CREATE_DIRECTORYOBJECT_INDEX 36
#define ZW_CREATE_EVENT_INDEX 37
#define ZW_CREATE_EVENT_PAIR_INDEX 38
#define ZW_CREATE_FILE_INDEX 39
#define ZW_CREATE_JOBOBJECT_INDEX 41
#define ZW_CREATE_KEY_INDEX 43
#define ZW_CREATE_MAILSLOTFILE_INDEX 45
#define ZW_CREATE_MUTANT_INDEX 46
#define ZW_CREATE_NAMEDPIPEFILE_INDEX 47
#define ZW_CREATE_PORT_INDEX 49
#define ZW_CREATE_PROCESS_INDEX 50
#define ZW_CREATE_PROCESSEX_INDEX 51
#define ZW_CREATE_SECTION_INDEX 53
#define ZW_CREATE_SEMAPHORE_INDEX 54
#define ZW_CREATE_SYMLINK_INDEX 55
#define ZW_CREATE_THREAD_INDEX 56
#define ZW_CREATE_TIMER_INDEX 57
#define ZW_CREATE_TOKEN_INDEX 58
#define ZW_CREATE_WAITPORT_INDEX 59
#define ZW_DEBUG_ACTIVEPROCESS_INDEX 60
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -